The encrypted chat app Threema has had an audit of the code of the app. No major vulnerabilities were found there. The audit is a first step towards making the entire code available open source.
Threema for Android, November 2020

Threema had the audit carried out by the German pen test company Cure53. The company concludes in the final report that Threema's codebase "can only be described as unusually solid." The pen testers discovered seven minor vulnerabilities within the scope of the study. These would not directly endanger the reliability of the app.
However, the researchers note that the Android app in particular is so complex that "a thorough security analysis is unrealistic." "It is therefore very important to say that this security investigation should not be seen as exhaustive," the report said. For the iOS app, on the other hand, the researchers found a "strong cryptographic integration" and note that the app is difficult to attack.
The audit is a new step towards making the app open source. Threema announced in September that it wants to make the code fully available, but wanted to have an audit carried out first. "Just making the software public does not guarantee that experts will bother to systematically examine the code. Software of Threema's size requires not only technical knowledge, but also a lot of time." Incidentally, it is not the company's first audit. In March 2019, it also had the code reviewed by the University of Münster.